On Thu, Jul 29, 2010 at 9:24 PM, Chris Baines <cbain...@gmail.com> wrote:
> Looking into this further, I think the file in question is xmlparse.c .

I think xmltok.c

> I can't find the offending piece of code in the simgear version, probably
> because it is just so old and thus very different to the current official
> version. This also means that I can't patch it directly without someone's
> guidance. Does anyone know if this bug applies to the version of
> xmlparse.c included in simgear?

Yes, our xml parser seems to have a similar vulnerability. I doubt it is a
terribly important issue, though.

Anyway, at least one of the problematic locations is the utf8_toUtf16
function. Notice how it uses an equality test when checking for end-of-buffer,
while in the loop body it sometimes increments the pointer by more than one,
thus possibly failing to detect end-of-buffer. It also merrily reads from[1]
and from[2] without ensuring those fall inside the buffer.

-- 
Csaba/Jester

_______________________________________________
Flightgear-devel mailing list
Flightgear-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flightgear-devel
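The two defects Csaba describes (an equality test for end-of-buffer combined with multi-byte pointer increments, and unchecked reads of from[1] and from[2]) are easy to see side by side. The following is an added illustration, not SimGear's or expat's code: a cut-down UTF-8 to UTF-16 converter for 1- to 3-byte sequences, written once in the vulnerable style and once with the bounds checks a reviewer would ask for. The function names, the conv_result struct and the sample input are all constructed for this example. To observe the over-read without undefined behaviour, the unsafe variant is only ever called on a buffer that has padding bytes beyond fromLim.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not SimGear's or expat's code). Summary of one conversion
   call; the fields let a test see what the loop did to its pointers. */
typedef struct {
    size_t consumed;  /* input bytes the loop advanced over */
    size_t produced;  /* UTF-16 code units written */
    int overshoot;    /* 1 if `from` ended up beyond fromLim (unsafe variant) */
    int rejected;     /* 1 if the safe variant stopped on a partial/malformed sequence */
} conv_result;

/* Vulnerable form, in the style the mail describes: the loop condition is
   `from != fromLim`, but a 2- or 3-byte sequence at the very end of the
   buffer advances `from` past fromLim, after which the equality test never
   fires again. from[1] and from[2] are also read before anyone checked that
   they exist. Only call this on input padded beyond fromLim. */
conv_result utf8_to_utf16_unsafe(const char *from, const char *fromLim,
                                 uint16_t *to, const uint16_t *toLim)
{
    conv_result r = {0, 0, 0, 0};
    const char *start = from;
    const uint16_t *tostart = to;
    while (from != fromLim && to != toLim) {
        unsigned char c = (unsigned char)*from;
        if (c < 0x80) {
            *to++ = c;
            from += 1;
        } else if ((c & 0xE0) == 0xC0) {
            *to++ = (uint16_t)(((c & 0x1F) << 6) | ((unsigned char)from[1] & 0x3F));
            from += 2;   /* can jump past fromLim */
        } else if ((c & 0xF0) == 0xE0) {
            *to++ = (uint16_t)(((c & 0x0F) << 12)
                               | (((unsigned char)from[1] & 0x3F) << 6)
                               | ((unsigned char)from[2] & 0x3F));
            from += 3;   /* can jump past fromLim */
        } else {
            from += 1;   /* unsupported lead byte: skip it */
        }
    }
    r.consumed = (size_t)(from - start);
    r.produced = (size_t)(to - tostart);
    r.overshoot = from > fromLim;
    return r;
}

/* Hardened form: `<` instead of `!=` so an overshoot can never loop forever,
   the full sequence length is checked against the remaining bytes before
   from[1]/from[2] are touched, and continuation bytes are validated. */
conv_result utf8_to_utf16_safe(const char *from, const char *fromLim,
                               uint16_t *to, const uint16_t *toLim)
{
    conv_result r = {0, 0, 0, 0};
    const char *start = from;
    const uint16_t *tostart = to;
    while (from < fromLim && to < toLim) {
        unsigned char c = (unsigned char)*from;
        size_t need, i;
        int ok = 1;
        if (c < 0x80)                 need = 1;
        else if ((c & 0xE0) == 0xC0)  need = 2;
        else if ((c & 0xF0) == 0xE0)  need = 3;
        else { from += 1; continue; } /* unsupported lead byte: skip it */

        /* Bounds check before any read beyond from[0]. */
        if ((size_t)(fromLim - from) < need) { r.rejected = 1; break; }
        for (i = 1; i < need; i++)
            if (((unsigned char)from[i] & 0xC0) != 0x80) ok = 0;
        if (!ok) { r.rejected = 1; break; }

        if (need == 1)
            *to++ = c;
        else if (need == 2)
            *to++ = (uint16_t)(((c & 0x1F) << 6) | ((unsigned char)from[1] & 0x3F));
        else
            *to++ = (uint16_t)(((c & 0x0F) << 12)
                               | (((unsigned char)from[1] & 0x3F) << 6)
                               | ((unsigned char)from[2] & 0x3F));
        from += need;
    }
    r.consumed = (size_t)(from - start);
    r.produced = (size_t)(to - tostart);
    return r;
}
```

Feeding both variants "A" followed by only the first two bytes of the three-byte encoding of U+20AC, with fromLim placed right after those two bytes, shows the difference: the unsafe loop reads from[1] and from[2] anyway, lands at fromLim + 1, and then keeps consuming whatever follows in memory until the output buffer fills; the safe loop converts "A", sees that fewer than three bytes remain, and stops with rejected set. The same input with fromLim moved one byte further, so the sequence is complete, converts cleanly to 'A' and 0x20AC.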